# 创建时间：2025/5/10 星期六 12:47
# 创建人：李德才


import pymysql

conn = pymysql.connect(host='localhost', user='root', password='123456', database='archser', charset='utf8', port=3306)
cursor = conn.cursor()

""" 正常查询 """
username = "admin"
password = '123456'
sql = "select * from as_user where username='%s' and password='%s' ;" % (username, password)
execute = cursor.execute(sql)
for row in cursor.fetchall():
    print(row)

"""
#
SQL注入
select *
from as_user
where username = 'admin '
   or 1 = 1 # ' and password='错误密码' ;
# 号后面的内容会被注释掉
"""
username = "admin ' or 1=1 # "
sql = "select * from as_user where username='%s' and password='%s' ;" % (username, password)
print(sql)
execute = cursor.execute(sql)
for row in cursor.fetchall():
    print(row)

""" 防止SQL注入  """
username = "admin'or 1=1 # "
password = '123456'
sql = "select * from as_user where username=%s and password=%s ;"
params = (username, password)
execute = cursor.execute(sql, params)
try:
    for row in cursor.fetchall():
        print(row)
except  Exception as e:
    print(e)

cursor.close()
conn.close()
